Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfa6a90c37a739ae…

MALICIOUS

PDF

74.1 KB Created: 2021-02-06 08:38:22 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-04-10
MD5: ab917410e6354386c6d784b347ca3b97 SHA-1: d1a3dce48b5d74a701d3eebadcd9b4069b644ffd SHA-256: dfa6a90c37a739aeb0dc626ec452e80c69ea8c7022a6c6b0483ad7073195598f
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and a high-confidence ML classifier flagged it as malicious. It also features a lure related to 'best android games 2018 metacritic' and redirects to a URL that appears to be an SEO redirector, strongly suggesting a phishing or malware distribution attempt. The ClamAV detection further solidifies the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/aws?utm_term=best+android+games+2018+metacritic PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4494433/normal_5fef0fab1ee3f.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4503787/normal_5ff3e8ef617fc.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4450040/normal_5ffc2c6440fa8.pdfIn PDF document text
    • http://it50discount.pro/rovuzisuvolofajoxekilerawnvpt.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4486200/normal_5fde11186be1f.pdfIn PDF document text
    • http://keto-menu.online/succeed_in_cambridge_english_proficiency_8_practice_testswh4gp.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4455380/normal_5fff096d09c83.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4459028/normal_5fd7bb44c0d4c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4478933/normal_600e2ff2c4a50.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/mujesogi/andante_affettuoso_sheet_music.pdfIn PDF document text
    • https://s3.amazonaws.com/sifawekujiki/loretedulaxubofuwej.pdfIn PDF document text
    • http://petizitopebil.epizy.com/guidelines_coumadin_therapy.pdfIn PDF document text
    • https://s3.amazonaws.com/wusigipufuvowix/aloha_pos_6._7_manual.pdfIn PDF document text
    • http://karajifaderiwow.epizy.com/nrega_card_number_format.pdfIn PDF document text
    • https://s3.amazonaws.com/roxawo/lugisisamobinozo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e499.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE499 5796 bytes
SHA-256: 755130162d5c604ca3192f128f5339bc32addcda7977a55db4f40ce1aae3b625
font_01_sfnt_off0000f841.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF841 10308 bytes
SHA-256: 5980d9fbedbcbd1f67dcb1de4209e49099965062fd86adae04773d6766a61abe